A $1 verified-badge for x402 services — fully autonomous, machine-paid
Source: Dev.to
TL;DR
We just shipped POST /api/v1/verified on x402station – a $1 USDC audit endpoint for x402 service operators.
- Pay once → get a 30‑day signed certificate + HTML/SVG badge to embed in your docs.
- The badge re‑runs the audit on every public‑page render, so it stays honest.
- Eligible services (pulled from our independent probe data) are listed live at x402station.io/verified.
- Pure machine‑to‑machine: your CI bot signs the
X‑PAYMENTheader, no human sign‑ups, no email capture.
Current stats: 59 endpoints in the catalog already meet the criteria.
Why This Exists
Half a year into the x402 agentic‑commerce protocol, two facts are clear:
| Observation | Detail |
|---|---|
| The catalog is noisy | Of ~35 000 active endpoints we probe every 10 minutes, ~17 % are landmines (decoy honeypots, zombie services, dead endpoints). |
| Honest operators have no way to differentiate | A well‑built x402 service looks identical to a malicious $1 000‑USDC honeypot from an agent’s perspective – both return 402 with payment requirements, both expose a .well-known/x402 manifest, both appear the same in the Coinbase Bazaar. |
We have been the oracle for agents:
“Is this URL safe to pay?” → /api/v1/preflight ($0.001 USDC)
Today we ship the operator side:
“Prove my URL is safe to pay.” → /api/v1/verified ($1 USDC)
What You Get for $1
Request
POST https://x402station.io/api/v1/verified
Content-Type: application/json
{
"url": "https://your-endpoint.example.com/route",
"name": "Your Service"
}Response fields
| Field | Type / Description |
|---|---|
certId | UUID v4 |
verified | boolean – true/false with diagnostic pass/fail reasons |
tier | verified or verified_plus (see below) |
badgeUrl | URL to an embeddable SVG badge |
pageUrl | Public verification page |
htmlSnippet | Ready‑to‑paste HTML snippet |
validUntil | ISO‑8601 timestamp (30 days from issuance) |
Embedding the badge
- The SVG re‑fetches every 5 minutes (via
Cache‑Control). - The public page re‑runs the audit on every render – if your service degrades, the badge flips to “failing” within minutes.
- Honesty is enforced by infrastructure, not by a pinky‑promise.
Audit Criteria
Five predicates are evaluated at issuance and on every public‑page re‑check:
| Criterion | Threshold | Rationale |
|---|---|---|
probes_7d | ≥ 20 | Need real signal, not 1‑2 probes |
uptime_7d_pct | ≥ 95 % | Below this agents would routinely fail calls |
| Critical signals | none firing (dead, zombie, decoy_price_extreme, dead_7d, mostly_dead, never_paid_zombie) | Prevent obvious bad actors |
latency_p99_ms | ≤ 5 000 | Long‑tail timeouts ruin agent UX |
price_usdc | $0.0001 – $5 | Sane price range – out‑of‑range = price trap or freebie |
The same predicates drive the live /verified/ re‑check, so the badge can never claim more than the data currently supports.
“Verified” vs “Verified+”
| Tier | Requirements |
|---|---|
| verified | Passes all five baseline criteria |
| verified_plus | Passes baseline and CDP confirms ≥ 1 paid call in the last 30 days (cdp_l30d_calls > 0) |
verified_plus surfaces real‑payer demand. We pull this from the Coinbase CDP raw discovery API – payment‑volume data that probe‑based sources can’t derive (competitors that rely on facilitators only see their own settlements). More details in a forthcoming follow‑up post.
Eligible Services Right Now
Live snapshot:
- 59 endpoints currently pass all five criteria.
- All 59 are verified_plus (CDP‑confirmed real demand).
- Top of the list:
Exa /search–api.exa.aiOtto AI /supported‑tokens–x402.ottoai.services- …and others.
If you operate one of these services, the verification page shows the exact @x402/fetch snippet your CI bot needs to mint a cert. One command, $1 USDC, 30‑day cert.
Why This Is Pure Machine‑to‑Machine (and Not a Stripe Pivot)
x402station’s core principle: no humans as customers. Every endpoint we ship is consumable by an agent without human intervention – no email sign‑ups, no OAuth, no dashboard logins.
The verified‑badge endpoint preserves this:
- Your CI bot signs the
X‑PAYMENTheader with your wallet’s private key. - We verify the payment via Coinbase CDP’s facilitator.
- We INSERT the cert row and return the response with embed‑ready URLs.
- Your CI bot can store the badge URL in a CI‑managed env file or commit it into your README.
The only “human” step is the initial decision to set up the CI step. After that, renewal is whatever schedule the CI bot wants – every 25 days, weekly, daily. Pre‑paid USDC sits in the bot’s wallet.
Distribution
| Asset | URL |
|---|---|
| Endpoint manifest (machine‑readable) | https://x402station.io/.well-known/x402 |
OpenAPI spec (12 operations, includes verifiedBadge & getVerifiedCertificate) | https://x402station.io/api/openapi.json |
A2A agent card (8 skills, verified listed) | https://x402station.io/.well-known/agent-card.json |
| Coinbase Bazaar (auto‑indexed via the bazaar extension – search “verified” in their discovery API) | — |
MCP tool surface (forthcoming in x402station-mcp v1.1.0) | — |
What’s Next
A single $1 cert from a single provider validates the channel. Two open questions:
- Will providers actually mint?
The eligibility list shows 59 candidates. We’ll watch settlement count over the next 7 days. - Does the badge drive agent traffic to verified endpoints?
We probe everything anyway – easy to A/B over time.
If you operate an x402 service and would benefit from a trust signal embeddable in your docs, check the eligibility page at x402station.io/verified.
If your endpoint isn’t there, fix the failing criterion first — then run the curl.
Feedback
Questions, methodology pushback, or weird edge cases? Open a GitHub Issue or email us at hello@x402station.io.
@x402station.io